In our recent articles, we highlighted that every significant and public attack exploited people to either get an initial foothold in a target organisation or as the entire attack vector. These attacks highlight the need for awareness as a top concern of security programmes.
However, the reality is that generic awareness materials are of little use. Just saying that you have an awareness programmeme, with standard content, does little good in taking advantage of the exposure the ongoing attacks are generating within your organisation and the general public.
Awareness programmes should incorporate Threat Intelligence, which provides digestable products of continuous adversary monitoring, organised research, and threat analysis. The result is timely and actionable information about the likely attack vectors and targets of your potential and actual attackers. This intelligence can be made compelling and relatable to audiences seeing similar attacks in the news.
Security awareness teams need to make their materials and focus relatable and directly relevant in order for them to be useful. Threat Intelligence, as described above, details the most useful information, while balancing nascence, relevance, and timeliness of the data.
The following recommendations provide some high level guidance on how to integrate Threat Intelligence into your awareness programmes.
Detail, within reason, real or imminent attacks against your organisation
One of the most frustrating aspects of implementing awareness programmes is that many people seem to believe that their organisation is an unlikely or uninteresting target, has a sufficient security programme in place that they don’t have to worry about potential attacks, or that it simply won’t happen to them. Therefore, security policies and guidelines are more of a nuisance than a valuable business function. While your intent should not be to scare people, there has to be an effort to communicate that there are issues that need to and can be addressed. With that realisation, people should hopefully believe that it can happen to them, and be motivated to take the right actions.
Use news events when you don’t have your own incidents to detail
Hacks like Anthem, Sony, Google, CENTCOMM, and just about any other newsworthy event seems to demonstrate time and time again that hacks are ongoing, and the direct result of a failure on a human level. This highlights that all of these organisations never thought it would happen to them, but they all became the victims of highly public and embarrassing attacks, which cost the organisations tens of millions of dollars.
The point to get across is that attacks that exploit the end users are ongoing and pervasive. They all represent that the threat is imminent.
Detail what to look out for
When you inform people that there is a likely threat, which provides the motivation to take action, you need to similarly inform them specifically about what they should be looking for. If an attack is imminent, such as the Syrian Electronic Army attack previously mentioned, you can inform your users that they should be on the lookout for phishing messages. You can tell them the type of messages to expect and provide examples of messages that have been previously employed by the attackers.
Also, many people were victimised by the Anthem hack. Those victimised by or aware of the compromise need to be made aware that they should expect phishing email messages taking advantage of the hack. This leverages the incident to increase overall user awareness.
Whatever the likely attack vector is, the information should be detailed with the employees in mind.
Specify how to react
Telling people what to look for does little more than promote annoyance or generate fear. Providing people with the actions to take if they perceive themselves to be under attack gives them control. The threat, actualisation, and prescribed actions should be specific and should include how to prevent the attack and who to report the potential incident to.
Clearly, when you tell people what to do or not to do, however that just prevents the attack from being successful against that individual. However, even a minimally committed attacker will move on to the next potential victim. When someone reports the attack in progress, the security team can then take actions to prevent the attack from being successful against less aware individuals.
For example, if there is a phishing message involved, the security team can delete copies of messages to other individuals off of the email server. If you know that people are being sent to a specific domain, you can block the domain. You can also send out a more specific message to all people informing them of the specific nature of the actual attack, which also helps people realise that attacks against your organisation are real.
Ensure the security team is aware of the intelligence and recommended actions
You should not take for granted that the security team might not be fully aware of the issues and how to respond. Too frequently there is an inaccurate assumption that people know how to respond and react correctly. The “security team” should be broadly defined to include the Help Desk (or whomever receives security-related calls), email administrators, web administrators, physical security, and any other group that might be responsible for taking an action if there is a potential attack.
These people need to know specifically what their responsibilities are. They need to know how to respond to users reporting potential attacks. They should know the specific actions to take in response to the pending attacks. Again, their actions depend upon their roles and responsibilities, but they should be well defined in advance. The last thing you want is for a user to properly respond to and report an incident, and then the people contacted do not know what to do.
Creating a culture of awareness, action, and communication improves both incident detection and response. Your user base becomes aware and active when it comes to potential attacks. This increases the effectiveness of the security team, exponentially growing its capacity to detect and respond to attacks.
In the ideal world, people should be constantly on the alert for potential attacks and know how to respond. Again, that is not what we experience in the real world. While we don’t wish that any organisation should be targeted, the fact is that just about every organisation is the potential victim of many ongoing attacks. The phishing scams resulting from the Anthem hack made many organisations a potential targets, and this attack is in no way unique.
However, these potential and actual attacks can be outstanding catalysts for making your awareness programmes incredibly effective. Don’t squander these ongoing, incredible opportunities.